Automated management of network and host address blacklists, for use in EdgeRouter firewall rules.
To get started, perform these steps on your EdgeRouter from a CLI configure prompt:
set firewall group network-group Nets4-BlackList description 'Blacklisted IPv4 Sources'
cp updBlackList.sh /config/scripts/updBlackList.sh
cp fw-BlackList-URLs.txt /config/user-data/fw-BlackList-URLs.txt
cp loadBlackList.sh /cofnig/scripts/post-config.d/loadBlackList.sh
set system task-scheduler task Update-Blacklists executable path /config/scripts/updBlackList.sh
set system task-scheduler task Update-Blacklists interval 12h
/config/scripts/updBlackList.sh
You will also need to create a firewall rule to deny inbound source addresses
that match this network-group Nets4-BlackList
. An example using
a zone-based firewall might look like:
set firewall name wan-dmz-4 rule 1 source group network-group Nets4-BlackList
set firewall name wan-lan-4 rule 1 source group network-group Nets4-BlackList
set firewall name wan-self-4 rule 1 source group network-group Nets4-BlackList
That should get you going with minimal effort. However, you really should
revew fw-BlackList-URLs.txt
and edit as appropriate. The two scripts
both have configuration sections that you should also review and edit as
appropriate.
updBlackList.sh
is the actual tool that will fetch various blacklists,
consolidate into one group, and load into a pre-existing IPset already used
with firewall rulesets.
You may schedule this approprately for your needs, but the quick start above
provides for a daily update at noon and midnight.
The file fw-BlackList-URLs.txt
should contain the list of URLs to
individual blacklist of networks and hosts. Blank lines and comments
(beginning with a hash (#) are acceptable).
The sample provided here has many sources listed as a starting point,
though only some are enabled (uncommented).
'cURL
' will be used to fetch each of these individually,
exactly as listed.
Since the updBlackList.sh
tool directly manipulates IPsets and does
not reflect any changes in the EdgeOS config.boot
, contents of the
blacklist network-group are lost upon reboot/restart of the EdgeRouter.
The loadBlackList.sh
script addresses this by restoring the previously
saved network-group at boot time.
Alternatively, the updBlackList.sh
script may be re-run at boot-time.
This will take longer, however, since it will recreate the list newly.
IPset documentation may be found at http://ipset.netfilter.org
This work was inspired by the Emerging Threats Blacklist discussion thread in the Ubiquiti Networks community forums.